An advanced persistent threat (APT) generally involves a computer network attack in which an unauthorized person gains access to the network and implants a file or program (e.g., malware) that remains undetected for a sustained period. APT attacks may be intended to steal data rather than to damage the network. APT attacks may target organizations in sectors with high-value information, such as national defense, manufacturing, and the financial industry. An APT attack may occur in multiple phases to break into a network, avoid detection, and extract valuable and sensitive information over time. The many APT variations make it difficult to protect computers and computer networks from APT attacks. While APT attacks are stealthy and hard to detect, certain aspects of an APT attack. For example, deep log analyses and log correlation from various sources may be useful in detecting APT attacks, and agents may be used to collect log data directly from computers operating on the network.
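To make the log-correlation idea concrete, the following is an added example (not code from the original text): it takes agent-collected records from three constructed sources (authentication, process, network) for the same host, sorts them by time, and raises an alert only when a login is followed within a time window by both a persistence-style event and a large outbound transfer. The key=value line format, field names and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from three agent-collected sources (not real data).
AUTH_LOG = [
    "2024-03-01T09:00:05 host=ws17 user=alice event=login_success src=10.0.0.5",
    "2024-03-01T09:02:10 host=ws17 user=alice event=login_success src=10.0.0.5",
]
PROCESS_LOG = [
    "2024-03-01T09:03:00 host=ws17 user=alice event=new_service name=updater",
    "2024-03-01T11:00:00 host=ws22 user=bob event=new_service name=backup",
]
NETWORK_LOG = [
    "2024-03-01T09:04:30 host=ws17 event=outbound dst=203.0.113.7 bytes=48000000",
    "2024-03-01T09:10:00 host=ws22 event=outbound dst=198.51.100.9 bytes=1200",
]
SOURCES = {"auth": AUTH_LOG, "process": PROCESS_LOG, "network": NETWORK_LOG}

def parse(line):
    """Turn 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def correlate(sources, window=timedelta(minutes=30), min_bytes=10_000_000):
    """Return (host, login_time) pairs where, within `window` after a login,
    the same host shows a new service AND an outbound transfer >= min_bytes."""
    by_host = defaultdict(list)
    for name, lines in sources.items():          # merge all sources per host
        for line in lines:
            rec = parse(line)
            rec["source"] = name
            by_host[rec["host"]].append(rec)
    alerts = []
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["ts"])           # single timeline per host
        for i, r in enumerate(recs):
            if r["event"] != "login_success":
                continue
            later = [x for x in recs[i + 1:] if x["ts"] - r["ts"] <= window]
            persist = any(x["event"] == "new_service" for x in later)
            exfil = any(x["event"] == "outbound" and int(x.get("bytes", 0)) >= min_bytes
                        for x in later)
            if persist and exfil:                  # chain seen only across sources
                alerts.append((host, r["ts"].isoformat()))
                break
    return alerts

if __name__ == "__main__":
    print(correlate(SOURCES))
```

No single source triggers on its own: ws22 has a new service and an outbound connection but no correlated login and no large transfer, so only ws17 is reported.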
In addition to protecting against APTs, computer users may be concerned about the amount of access a computer application may have to specific computer resources and devices. This access may be referred to as privilege. Privilege also refers to how much a user or an application may modify a computer system. In some computer systems, both users and applications may be assigned more privileges than the users or applications should have, and malware can take advantage of these over-privilege conditions.
Some computer systems do not distinguish between an administrator (or root) user and non-administrator users, and allow all users of the computer system to modify the computer system's internal structures. Such computer systems are vulnerable to malware through the computer system's privilege structure. Some computer systems allow code executed by a user to access all rights of that user. In these computer systems, malware, running as over-privileged code, can use this privilege to subvert the computer system. Many computer operating systems use scripting applications to control access to computer resources; when the scripting applications execute, the computer system grants those applications all privilege rights of the user who runs them. Thus, these computer systems also are vulnerable to malware through the computer system's privilege structure. In a specific example, use of over-privileged code makes computer systems vulnerable to malware in the form of e-mail attachments, which may or may not be disguised.